This is an archive of the discontinued LLVM Phabricator instance.

Differential D38214

[analyzer] Fix crash on modeling of pointer arithmetic
ClosedPublic

Authored by alexander-shaposhnikov on Sep 22 2017, 11:23 PM.

Details

Reviewers
NoQ
zaks.anna
Commits
rGf4963ff16263: [analyzer] Fix crash on modeling of pointer arithmetic
rC314141: [analyzer] Fix crash on modeling of pointer arithmetic
rL314141: [analyzer] Fix crash on modeling of pointer arithmetic
Summary

This patch attempts to fix analyzer's crash on the newly added test case (see also https://bugs.llvm.org/show_bug.cgi?id=34374).
Pointer subtraction appears to be modeled incorrectly in the following example:

char* p;
long n = p - reinterpret_cast<char*>((unsigned long)1);

In this case the analyzer (built without this patch) tries to create a symbolic value for the difference
treating reinterpret_cast<char*>((unsigned long)1) as an integer, that is not correct.

Test plan: make check-all

Diff Detail

Repository
rL LLVM

Event Timeline

alexander-shaposhnikov created this revision.Sep 22 2017, 11:23 PM
Herald added a subscriber: xazax.hun. · View Herald TranscriptSep 22 2017, 11:23 PM
alexander-shaposhnikov edited the summary of this revision. (Show Details)Sep 23 2017, 12:32 AM
NoQ edited edge metadata.Sep 25 2017, 2:01 AM

Looks good!

I guess the accurate thing to do would be to return LocAsInteger of type intptr_t of an ElementRegion with index -1 from SymbolicRegion around p. But i'm totally fine with another UnknownVal placeholder until this becomes an actual problem.

NoQ accepted this revision.Sep 25 2017, 2:02 AM
This revision is now accepted and ready to land.Sep 25 2017, 2:02 AM
alexfh added a comment.Sep 25 2017, 5:06 AM

Thanks for the fix!

Closed by commit rL314141: [analyzer] Fix crash on modeling of pointer arithmetic (authored by alexander-shaposhnikov). · Explain WhySep 25 2017, 12:34 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Core/
8 lines
test/
Analysis/
6 lines

Diff 116590

cfe/trunk/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp

Show First 20 LinesShow All 720 Lines▼ Show 20 Lines case loc::ConcreteIntKind: {
// Comparing an arbitrary integer to a region or label address is // Comparing an arbitrary integer to a region or label address is
// completely unknowable. // completely unknowable.
return UnknownVal(); return UnknownVal();
} }
case loc::MemRegionValKind: { case loc::MemRegionValKind: {
if (Optional<loc::ConcreteInt> rInt = rhs.getAs<loc::ConcreteInt>()) { if (Optional<loc::ConcreteInt> rInt = rhs.getAs<loc::ConcreteInt>()) {
// If one of the operands is a symbol and the other is a constant, // If one of the operands is a symbol and the other is a constant,
// build an expression for use by the constraint manager. // build an expression for use by the constraint manager.
if (SymbolRef lSym = lhs.getAsLocSymbol(true)) if (SymbolRef lSym = lhs.getAsLocSymbol(true)) {
if (BinaryOperator::isComparisonOp(op))
return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy); return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy);
return UnknownVal();
}
// Special case comparisons to NULL. // Special case comparisons to NULL.
// This must come after the test if the LHS is a symbol, which is used to // This must come after the test if the LHS is a symbol, which is used to
// build constraints. The address of any non-symbolic region is guaranteed // build constraints. The address of any non-symbolic region is guaranteed
// to be non-NULL. // to be non-NULL.
if (rInt->isZeroConstant()) { if (rInt->isZeroConstant()) {
if (op == BO_Sub) if (op == BO_Sub)
return evalCastFromLoc(lhs, resultTy); return evalCastFromLoc(lhs, resultTy);
▲ Show 20 LinesShow All 340 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/ptr-arith.cpp

Show First 20 LinesShow All 105 Lines▼ Show 20 Linesunsigned ptrSubtractionNoCrash(char *Begin, char *End) {
return N; return N;
} }
// Bug 34309 // Bug 34309
bool ptrAsIntegerSubtractionNoCrash(__UINTPTR_TYPE__ x, char *p) { bool ptrAsIntegerSubtractionNoCrash(__UINTPTR_TYPE__ x, char *p) {
__UINTPTR_TYPE__ y = (__UINTPTR_TYPE__)p - 1; __UINTPTR_TYPE__ y = (__UINTPTR_TYPE__)p - 1;
return y == x; return y == x;
} }
// Bug 34374
bool integerAsPtrSubtractionNoCrash(char *p, __UINTPTR_TYPE__ m) {
auto n = p - reinterpret_cast<char*>((__UINTPTR_TYPE__)1);
return n == m;
}